CAREERS

Can Your Network Beat Malware?

Test aggressively using simulated but realistic network traffic scenarios, making sure to strike a balance between security and organizational performance.

(click image for larger view)

The Syrian Electronic Army: 9 Things We Know

Nearly every IT environment uses security systems to help detect and stop malware. These might include firewalls that can be configured with various rules, UTM systems offering content filtering, gateway antivirus software, deep packet inspection (DPI) and intrusion prevention systems (IPS).

Unfortunately, in most enterprises, testing security measures is at best neglected and at worst completely overlooked. According to a recent PandaLabs report, more than 74,000 new malwarestrains are created every day. Given this large volume of new threats, companies can put themselves at risk with just one misconfiguration on a firewall port.

Despite all of the tools at the IT department's disposal to find and prevent malware, threats still find a way to infect various systems. Stopping malware requires consistent testing of these systems to make sure they can handle the latest threats under the most intense real-world scenarios.

Key Challenges

BYOD policies introduce a whole new level of complexity for preventing malware. IT groups need to consider that user devices might not have the required security software or have out-of-date patches. Companies that allow personal devices for work purposes need to find the right balance between implementing safeguards on devices and also understanding they don't have complete control.

A recent study from Enterprise Strategy Group (ESG) on advanced malware protection and detection polled 315 North American-based IT security professionals working at enterprise-level firms who have seen a rise in more sophisticated malware during the past two years. Malware criminals continue to invent new ways to both hide threats and amplify the malware's ability to avoid detection and elimination. Many criminals are turning to mobile-based malware to steal money from users. For example, they might misuse SMS shortcodes purchases (typically used for donations) to encourage fraud or use malware to gather personal and business-related information about the user.

Finding The Balance

Companies that implement aggressive malware policies need to strike a balance between network security and organizational performance. Controls cannot be so restrictive that they get in the way of systems being efficient and workers doing their jobs. Testing with the right tools can help companies identify and strengthen weak points which, in turn, should help them avoid implementing overly restrictive policies for staff.

What's the right methodology for testing? A proven testing method is PASS, which stands for four interdependent variables: performance, availability, security and scalability. This method is based on the fundamental IT principle that there needs to be reasonable trade-offs between these variables. Malware prevention also follows this dynamic, where IT protection requirements cannot be so strict as to prevent access to the very systems that keep the business running.

Good PASS testing covers the following: Performance testing can help you understand the metrics, such as response time of the infrastructure while under attack. Availability tests can focus on checking if your systems properly fail close or fail open during key events. Security tests can include checks around currency of your malware database and potentially uncover holes because of slow updates. Finally, scalability tests can ascertain how many users the system can handle before, during and after an attack.

Best Practices To Perform Testing

Companies should review how critical security devices such as gateways, firewalls, and IDS respond to realistic and scaled attacks and traffic. Testing should ideally be conducted while authentic traffic is going through the network to see how different components respond under stress.

Systems such as DPI look much more closely into any traffic passing through the network to enforce policies driven by security concerns. For instance, an IT organization might want to understand if customers or employees are using Skype for instant messaging, voice calls or file transfers. DPI systems will not be fully tested unless they are put under real malware payloads. It's essential for the testing tool to emulate traffic from malware-infected systems in addition to perimeter defense and to be able to do this at scale. For example, malware testing should be done with both secure and insecure traffic, and testing services must also have an updated library of the latest malware signatures.

A PASS methodology can answer multiple questions regarding malware readiness including: What is the impact on user QoS (quality of service) in terms of latency? When devices enter fail open or close states do related services also go down? How many pieces of malware can current systems detect? How many users can be supported while under attack?

The best security system testing requires that you send through a wide range of malware-based attacks during periods of realistic simulated network traffic. Companies that proactively choose the right test equipment and do aggressive testing will be able to stop and manage the effects of complex malware attacks.